Using $cookie For Sessions
Posted 28 June 2006 - 05:12 PM
I'm currently reading around the topic of sessions, and I've come to the conclusion that the PHP sessions handling is too complex for what I need. I don't need to store session variables because my databases already handle all of that. I just need a session check that spits out a UserID so that I know who is logged on, the rest is accounted for.
I'd thought of doing this with a MySQL table of SessionID|UserID and storing the SessionID in a cookie on logon and checking that cookie in later scripts. The book I'm reading has an example of a MySQL-based solution that does something weird involving writing custom session functions and inserting them behind the standard PHP session handling functions. Thing is that this seems overcomplicated. I don't need anything except a UserID, and to be honest I'd rather avoid stuff like this, as it seems to make something very simple in concept into something arcane and hard to figure out. I'm not a big fan of overcomplicating something for the sake of being a smartass.
So, is my custom method OK do you think? I would be just shoving a SessionID into a cookie, and later retrieving it from $_COOKIE and comparing it to the SessionID|UserID to check for a login. Would there be any security risks arising from it? (I presume that transplanting cookies is a risk with PHP sessions anyway?) Is there a 'good practice' reason why I shouldn't do this?
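The scheme described in the question (a cookie holding a SessionID, looked up in a SessionID|UserID table) written out defensively, as an added example that is not part of the original thread or any book it mentions. It assumes a modern PHP (7.3+ for the `setcookie` options array, 7.0+ for `random_bytes`), a PDO connection `$pdo`, and a hypothetical table `user_sessions`; the table and column names are assumptions made for the example.

```php
<?php
// Added example (not from the original thread): the poster's proposed
// cookie + sessions-table scheme, done defensively. Assumes a PDO
// connection $pdo and this hypothetical table (names are assumptions):
//   CREATE TABLE user_sessions (
//     token_hash CHAR(64) PRIMARY KEY,   -- hex sha256 of the cookie value
//     user_id    INT UNSIGNED NOT NULL,
//     expires_at DATETIME NOT NULL
//   );

const SESSION_COOKIE = 'sid';
const SESSION_TTL    = 3600;   // seconds of inactivity before a token dies

// Create a session for $userId after the password check has passed.
function sessionLogin(PDO $pdo, int $userId): void
{
    // 32 bytes from the CSPRNG. Never use mt_rand()/uniqid() for a
    // session identifier: they are guessable.
    $token = bin2hex(random_bytes(32));

    // Store only a hash, so a leaked table cannot be replayed as cookies.
    // Expiry is computed by MySQL so PHP and DB timezones cannot disagree.
    $stmt = $pdo->prepare(
        'INSERT INTO user_sessions (token_hash, user_id, expires_at)
         VALUES (?, ?, DATE_ADD(NOW(), INTERVAL ' . SESSION_TTL . ' SECOND))'
    );
    $stmt->execute([hash('sha256', $token), $userId]);

    // HttpOnly keeps the token away from document.cookie (XSS), Secure keeps
    // it off plaintext HTTP, SameSite=Lax blunts cross-site request forgery.
    setcookie(SESSION_COOKIE, $token, [
        'expires'  => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Return the logged-in user id, or null. Slides the expiry forward on use.
function sessionUserId(PDO $pdo): ?int
{
    $token = $_COOKIE[SESSION_COOKIE] ?? '';
    // 64 hex chars is the only valid shape; reject anything else early.
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $hash = hash('sha256', $token);

    $stmt = $pdo->prepare(
        'SELECT user_id FROM user_sessions
         WHERE token_hash = ? AND expires_at > NOW()'
    );
    $stmt->execute([$hash]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }

    $pdo->prepare(
        'UPDATE user_sessions
         SET expires_at = DATE_ADD(NOW(), INTERVAL ' . SESSION_TTL . ' SECOND)
         WHERE token_hash = ?'
    )->execute([$hash]);

    return (int) $userId;
}

// Invalidate the current token server-side and clear the cookie.
function sessionLogout(PDO $pdo): void
{
    $token = $_COOKIE[SESSION_COOKIE] ?? '';
    if (preg_match('/^[0-9a-f]{64}$/', $token)) {
        $pdo->prepare('DELETE FROM user_sessions WHERE token_hash = ?')
            ->execute([hash('sha256', $token)]);
    }
    setcookie(SESSION_COOKIE, '', [
        'expires' => 1, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}
```

The points a reviewer would check in any home-grown version of this: the identifier must come from a CSPRNG and be long enough to be unguessable, the lookup must use a prepared statement, the token must expire server-side (a cookie's own expiry is advisory only), and a new token must be issued at login rather than reusing whatever the browser already sent, so that a pre-set cookie cannot be fixated onto the victim's account.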
Posted 28 June 2006 - 05:22 PM
You don't have to use what the book says for sessions. You can use sessions with their default behaviour, which is saving the session data to a file; this is already set up:
<?php session_start(); $_SESSION['userID'] = USER_ID_HERE; ?>
Then whenever you need to access the userID session, make sure you have session_start(); at the top of your script and use $_SESSION['userID'] to access the userID.
Some more advanced PHP programmers prefer to write their own session handler, which is what your book is teaching you/telling you. However, PHP's default session behaviour is fine.
Posted 28 June 2006 - 05:52 PM
Posted 28 June 2006 - 06:19 PM
Also, sessions are secure because in order for a malicious hacker to get the contents of the session, they have to be on the same computer to read the cookie which stores the session id. Plus sessions expire when the user closes his browser window or when the session expires. The session expiry time is set in the php.ini.
The only way to hack into someone's session is by session fixation, explained above. This book (http://www.oreilly.com/catalog/phpsec/) explains in detail about session fixation.
Posted 28 June 2006 - 08:00 PM
Which is exactly what I do with my custom method. So what is the advantage of using PHP sessions over my method?
Also, I question why you have just told me at length about the issue of an attacker getting the cookie off the same computer, since I made clear in my post that I was 100% aware of this.
So, can I get an actual answer to the above question? I just want to make sure that there is no security or implementation issue here that I have missed, I am not looking for basic info about sessions. As far as I can see, my method is just as secure as PHP sessions. Is this correct or not? If not, why not?
Posted 28 June 2006 - 08:43 PM
Your method does this right off the bat because it is already done for you without the need for MySQL, as wildteen stated:
QUOTE: "Session sets a cookie, which only stores the session id. Or if cookies are disabled it'll show the session id in the URL. The session id is automatically generated and is unique. The session data itself is stored in the location specified in the php.ini file."
With this code as an example:
<?php session_start(); $_SESSION['userID'] = USER_ID_HERE; ?>
There's nothing wrong with your method (can't really say until we could see the code itself), but you're duplicating and complicating what is already available to you and gaining nothing from it.
Posted 28 June 2006 - 09:13 PM
I wanted a MySQL based solution for a reason, so please don't compare apples (file-based) and oranges (MySQL based).
Is anyone actually going to answer the very simple question I asked?
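For the MySQL-based route the book describes (custom functions plugged in behind PHP's standard session handling, mentioned earlier in the thread), here is what that looks like in current PHP. This is an added example, not the book's code or anyone's in this thread; it assumes PHP 8+ (constructor promotion, union return types), a PDO connection, and a hypothetical table `php_sessions` whose name and columns are assumptions. The login function also rotates the session id, which is the standard defence against the session fixation the thread mentions.

```php
<?php
// Added example (not from the thread or the book): PHP's own session API
// with its storage moved into MySQL, so the data lives in a table rather
// than in php.ini's session.save_path. Assumes this hypothetical table:
//   CREATE TABLE php_sessions (
//     id         VARCHAR(128) PRIMARY KEY,
//     data       BLOB NOT NULL,
//     updated_at INT UNSIGNED NOT NULL
//   );

final class MysqlSessionHandler
    implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $pdo) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare('SELECT data FROM php_sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        // An unknown id must yield '' (a fresh, empty session), not false.
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->pdo->prepare(
            'INSERT INTO php_sessions (id, data, updated_at) VALUES (?, ?, ?)
             ON DUPLICATE KEY UPDATE data = VALUES(data), updated_at = VALUES(updated_at)'
        );
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM php_sessions WHERE id = ?')
                         ->execute([$id]);
    }

    // Called by PHP's probabilistic GC (session.gc_probability / gc_divisor).
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM php_sessions WHERE updated_at < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    // Needed for session.use_strict_mode to actually reject ids the server
    // never issued (the core of the session fixation defence).
    public function validateId(string $id): bool
    {
        $stmt = $this->pdo->prepare('SELECT 1 FROM php_sessions WHERE id = ?');
        $stmt->execute([$id]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->pdo->prepare('UPDATE php_sessions SET updated_at = ? WHERE id = ?')
                         ->execute([time(), $id]);
    }
}

// Wiring: all of this must run before session_start(). DSN/credentials are
// placeholders for the example.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
session_set_save_handler(new MysqlSessionHandler($pdo), true);
ini_set('session.use_strict_mode', '1');   // reject ids we never issued
ini_set('session.use_only_cookies', '1');  // never accept ?PHPSESSID= in the URL
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

// Login: rotate the id so a fixated pre-login id is worthless afterwards,
// then record who is logged in. The rest of the app reads currentUserId().
function loginUser(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session record
    $_SESSION['userID'] = $userId;
}

function currentUserId(): ?int
{
    return isset($_SESSION['userID']) ? (int) $_SESSION['userID'] : null;
}
```

This gives the MySQL-backed storage the question asks for while keeping PHP's own id generation, cookie handling and garbage collection, so the only things the application has to get right are the strict-mode/cookie settings and calling `session_regenerate_id(true)` at every privilege change.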